Two years after the OPM data breach: What government agencies must do now

Recent reports show declining grades for government agencies’ efforts to improve cybersecurity. Experts weigh in on what needs to be done.

In addition, the audit showed a significant staffing problem, which caused the OPM to backslide in its compliance with the Federal Information Security Management Act. "There has been an extremely high employee turnover rate for the ISSO positions, and OPM has struggled to backfill these vacancies," said Michael Esser, OPM's assistant inspector general for audits, in his report. "In addition, there have been five different individuals in the role of the chief information officer in the past three years."

Finally, there's the problem of old equipment. BeyondTrust surveyed federal IT managers earlier this year and found that 47 percent of federal agencies still use Windows XP. "Windows XP is highly insecure and many of the newer anti-virus, multi-factor authentication, and even security tools just do not work on unsupported platforms anymore," says Morey Haber, VP of technology at Phoenix-based. "Commercial businesses will not make money or develop for platforms that are end of life. There is no sustainability model for it."

According to Gartner's Holgate, legacy systems in the federal government have an average age of 14 years, compared to 10 in the private sector.

In addition to ripping and replacing, one option is to move to cloud-based infrastructure. Here, too, the federal government lags behind. "Federal agencies reported in 2016 that they spend 3 percent of their total IT expenditures on cloud services," says Holgate. "That is significantly less than private sector peers, for which benchmarking shows 12 percent."

Moving to the cloud isn't necessarily more secure, says Ken Kartsen, VP of federal sales at Santa Clara, Calif.-based McAfee LLC. Kartsen has been working with federal government clients in various areas of cybersecurity for nearly 20 years. "But if you look at the underlying infrastructure, especially infrastructure as a service, you at least start with a safe and secure system," he says.

He has seen some progress in this area, he adds. "Two years ago, I didn't know of any large component of infrastructure that was outsourced to the cloud," he says. "Two years later, it's very different. The momentum is definitely there."

The FedRAMP program, for example, pre-approves cloud vendors to make it easier and faster for government agencies to move to the cloud. "That shows to me that the government is moving very aggressively," he says. "I think we're going to see a lot more infrastructure outsourced over the next couple of years."

Long-term impact is yet to be felt

The OPM breach was unlike most other breaches, and it created problems that can't be fixed by reissuing credit cards and offering credit monitoring services. Nearly 22 million Social Security numbers were breached, and those cannot be reissued. And that's just the start.